> Does such a project via Github (which is Microsoft) deserve trust? I'm not so sure about that.
That's unwarranted.
Source is controlled via git, the code in the repo can be trivially audited against the developer's known-good repo, and they encourage contributors to sign their commits with GnuPG. What more do you want?
MS has invested literally *billions* of dollars in making GitHub a trusted software source, a solution to the (very big) industry problem of supply chain security. If MS were to do any shenanigans with GitHub, any at all, billions of dollars of value could be lost in a single day. They have a very large financial interest in being an honest broker.
I may not trust Microsoft very much, but I trust their desire to make money.
OpenPGP_signature.asc
Description: OpenPGP digital signature
_______________________________________________ Gnupg-users mailing list [email protected] https://lists.gnupg.org/mailman/listinfo/gnupg-users
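The two checks the reply leans on, auditing a hosted copy against the developer's known-good repository and confirming that commits carry GnuPG signatures, are shown below as an added shell example that is not part of the original message or the list. It assumes git is on PATH and uses constructed local repositories (created under a temp directory) in place of real GitHub URLs; the functions accept remote URLs the same way. The key fingerprints, paths and identities are placeholders.

```shell
#!/bin/sh
# Added example (not from the original thread): audit a hosted mirror against a
# developer's known-good repository and check that new commits are signed.
# Assumptions: git is installed and on PATH; mktemp exists; all repository
# paths and identities below are constructed for the demo, not real projects.

# compare_ref <known_good_repo> <mirror_repo> <ref>
# Resolve <ref> in both repositories via ls-remote and compare the commit ids.
# A commit id covers the full tree and the whole history behind it, so equal
# ids mean the mirror carries byte-identical content no matter which host
# serves it. Returns 0 when equal, 1 when different or missing.
compare_ref() {
    known_good=$1; mirror=$2; ref=$3
    a=$(git ls-remote "$known_good" "$ref" 2>/dev/null | awk '{print $1}')
    b=$(git ls-remote "$mirror" "$ref" 2>/dev/null | awk '{print $1}')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# verify_range <repo_path> <base> <ref>
# Run 'git verify-commit' on every commit reachable from <ref> but not <base>.
# git invokes gpg for signed commits; unsigned commits fail without gpg at all.
# A "good" signature only means something if the signing key's fingerprint
# was obtained from the developer out of band and imported into the keyring
# (gpg --import, then gpg --fingerprint to compare against the known value).
# Returns 0 only when every commit in the range verifies.
verify_range() {
    repo=$1; base=$2; ref=$3
    status=0
    for c in $(git -C "$repo" rev-list "$base..$ref"); do
        if git -C "$repo" verify-commit "$c" 2>/dev/null; then
            echo "signed   $c"
        else
            echo "UNSIGNED $c"
            status=1
        fi
    done
    return $status
}

# setup_demo
# Build a constructed scenario under a temp dir: a known-good repo, a faithful
# clone, and a clone with one extra unsigned commit. Prints the temp dir.
setup_demo() {
    tmp=$(mktemp -d)
    git init -q "$tmp/known-good"
    git -C "$tmp/known-good" symbolic-ref HEAD refs/heads/main
    git -C "$tmp/known-good" -c user.name=dev -c user.email=dev@example.invalid \
        commit -q --allow-empty -m "initial release"
    git clone -q "$tmp/known-good" "$tmp/mirror-faithful"
    git clone -q "$tmp/known-good" "$tmp/mirror-tampered"
    git -C "$tmp/mirror-tampered" -c user.name=x -c user.email=x@example.invalid \
        commit -q --allow-empty -m "injected change"
    echo "$tmp"
}

# Run as 'sh audit.sh demo' to see both checks on the constructed repos.
# (Contributors sign their own commits with 'git commit -S' after setting
# user.signingkey to their GnuPG key id.)
if [ "${1:-}" = "demo" ]; then
    d=$(setup_demo)
    for m in mirror-faithful mirror-tampered; do
        if compare_ref "$d/known-good" "$d/$m" refs/heads/main; then
            echo "$m: matches known-good main"
        else
            echo "$m: DIFFERS from known-good main; checking the extra commits"
            verify_range "$d/$m" refs/remotes/origin/main refs/heads/main
        fi
    done
    rm -rf "$d"
fi
```

`compare_ref` is the cheap check: if the commit id of the branch or tag you build from matches the developer's own repository, the hosting provider cannot have altered anything without also breaking the id. `verify_range` is for the case where the histories legitimately diverge (a fork, a pending pull request): each commit beyond the known-good base must carry a signature from a key whose fingerprint you already trust, and an unsigned commit in that range is the failure the demo's tampered mirror produces.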
